I've got a box running RH9.0 and in the Logwatch report last night, I got the following entry;
--------------------- Kernel Begin ------------------------
8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
---------------------- Kernel End -------------------------
Unfortunately, the is NOT my IP address!!! Is this telling me what I think it is, The box has been compromised????
Quoting docv [email protected]:
I've got a box running RH9.0 and in the Logwatch report last night, I got the following entry;
--------------------- Kernel Begin ------------------------
8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
---------------------- Kernel End -------------------------
Unfortunately, the is NOT my IP address!!! Is this telling me what I think it is, The box has been compromised????
I strongly doubt this means you've been compromised. ICMP packets can be source routed, that is, the sender can specify the retrun route that should be taken by the recipient. If I remember correctly, source routing is generally not honored by Linux for reasons relating to security.
Looks like someone pinged you or sent you an ICMP message that specified a source routing option. Your box did not honor that option and thus you have this message in your logs.
Of course, I could be wrong. It's happened before.
All that said, you might think about upgrading from RH9 to something that's currently supported by RH (i.e. Enterprise Linux or Fedora) so you are able to keep it patched.
-- Dave Hull http://insipid.com
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of docv Sent: Tuesday, October 12, 2004 7:38 AM To: [email protected] Subject: Unsure of log report entry
I've got a box running RH9.0 and in the Logwatch report last night, I got the following entry;
--------------------- Kernel Begin ------------------------
8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
---------------------- Kernel End -------------------------
Unfortunately, the is NOT my IP address!!! Is this telling me what I think it is, The box has been compromised????
What it indicates is that 65.70.45.21 tried eight times to make use of source routing. The short answer on source routing is that it's a feature of TCP/IP whereby you can direct the path a packet will follow. This could allow an attacker to cause traffic to pass through a host they have control of, to view its contents, etc. You can read up on this more in TCP/IP Illustrated, Volume I by the late W. Richard Stevens - aka The TCP/IP Bible.
Here's an interesting bit - do a whois on the host in question: 65.70.45.21
This turns out to be an SBC customer, most likely DSL. This is registered to a client named Gould Family Practice. I see from your signature below you're in medicine - is this where you work, or a competitor?
The good news is, the source routing attempt failed. This doesn't indicate you have been hacked, but this type of traffic certainly isn't normal. Someone is rattling the fence. Dustin
-
Dave Hull -
docv -
Dustin Decker